Password Manager Security: Staying Safe

TL;DR

Password managers are the right tool for the job, but they concentrate risk: whoever gets your master password, or control of a device where the vault is unlocked, gets every credential in it. This guide covers the common attacks and how to defend against them with a strong master password, two-factor authentication (2FA), regular vault audits, and the habit of checking where you are typing your master password.

1. Understanding the Risks

Attackers target password managers because a single vault holds every credential you own. Common threats:

  • Phishing: Tricking you into entering your master password on a fake copy of your manager’s login page, or your site passwords on fake copies of other sites.
  • Keylogging: Software that records your keystrokes, including your master password as you type it.
  • Malware: Information-stealing malware on your device can read the vault once you have unlocked it, however strong the master password is.
  • Brute-Force Attacks: Guessing master passwords offline against a stolen copy of your encrypted vault. The manager’s key-derivation function makes each guess slow, but a short or predictable master password still falls quickly.
  • Credential Stuffing: Using usernames and passwords leaked from other websites to log in to your password manager account; this works whenever the master password was reused.

2. Strong Master Password

Your master password is the key to everything. Make it strong!

  1. Length: At least 16 characters, or at least five or six words for a passphrase. Length does more for you than any other property.
  2. Complexity: For a random password, mix uppercase and lowercase letters, numbers, and symbols. For a passphrase, the number of words and how randomly they were chosen matter far more than adding symbols.
  3. Uniqueness: Don’t reuse this password anywhere else, and don’t derive it from a password you use elsewhere.
  4. Passphrase: Consider a passphrase that is easy for you to remember but hard to guess (e.g., “My cat loves eating fish on Tuesdays”). Words picked at random from a wordlist (the diceware method) are stronger than a grammatical sentence of the same length, because password-guessing tools model natural sentences.

Avoid easily guessable information like birthdays, pet names, quotations, song lyrics, or common words.
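
Sections 1 and 2 turn on the same arithmetic: an attacker with a stolen vault can only guess as fast as the key-derivation function lets them, and the master password’s entropy decides whether that is hours or millennia. The following Python is an added illustration, not code from this article or from any password manager. It uses PBKDF2-HMAC-SHA256 as a stand-in for a real manager’s KDF, and the iteration count, salt, candidate wordlist, the “Summer2024!” master password and the attacker hash rate are all constructed assumptions.

```python
import hashlib
import hmac
import math
import time

# Assumptions, not facts from the article: PBKDF2-HMAC-SHA256 stands in for the
# key-derivation function a real manager uses (several use Argon2id instead), and
# 600,000 iterations is the OWASP (2023) recommendation for PBKDF2-HMAC-SHA256,
# not the setting of any particular product.
KDF_ITERATIONS = 600_000
DICEWARE_WORDS = 7776        # size of a five-dice wordlist
PRINTABLE_ASCII = 95         # characters available to a random password


def derive_vault_key(master_password, salt, iterations=KDF_ITERATIONS):
    """Stretch the master password into a 256-bit vault key. Every offline guess
    has to repeat this work, which is what makes the KDF the attacker's bottleneck."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def offline_guess(vault_key, salt, candidates, iterations=KDF_ITERATIONS):
    """Simulate an attacker holding a stolen vault: they know the salt and can test
    whether a candidate reproduces the key. Returns the matching candidate or None."""
    for candidate in candidates:
        if hmac.compare_digest(derive_vault_key(candidate, salt, iterations), vault_key):
            return candidate
    return None


def passphrase_entropy_bits(word_count, wordlist_size=DICEWARE_WORDS):
    """Entropy of a passphrase whose words are chosen uniformly at random."""
    return word_count * math.log2(wordlist_size)


def random_password_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def guesses_per_second(iterations, hashes_per_second=5e12):
    """Attacker throughput: raw HMAC-SHA256 rate divided by the KDF iteration count.
    The 5e12 hashes/second figure is a constructed stand-in for a GPU cluster."""
    return hashes_per_second / iterations


def expected_crack_seconds(entropy_bits, rate):
    """Expected time to find the password: half the keyspace at the given rate."""
    return (2 ** (entropy_bits - 1)) / rate


if __name__ == "__main__":
    salt = b"constructed-16-byte-salt"[:16]
    weak_master = "Summer2024!"                          # constructed weak master password
    key = derive_vault_key(weak_master, salt, 20_000)    # fewer iterations so the demo is quick
    wordlist = ["password", "letmein", "Winter2023!", "Summer2024!"]
    start = time.perf_counter()
    hit = offline_guess(key, salt, wordlist, 20_000)
    print("guessed:", hit, "in %.2fs for %d candidates" % (time.perf_counter() - start, len(wordlist)))

    rate = guesses_per_second(KDF_ITERATIONS)
    for label, bits in [("8 random printable chars", random_password_entropy_bits(8)),
                        ("16 random printable chars", random_password_entropy_bits(16)),
                        ("4 diceware words", passphrase_entropy_bits(4)),
                        ("6 diceware words", passphrase_entropy_bits(6))]:
        years = expected_crack_seconds(bits, rate) / (365 * 24 * 3600)
        print("%-26s %6.1f bits  ~%.3g years at %.0f guesses/s" % (label, bits, years, rate))
```

The demo shows both halves of the argument: a master password that is in the attacker’s wordlist is found no matter how many KDF iterations are configured, while for a password that is not, the iteration count divides the attacker’s raw hash rate and the entropy sets how many guesses they need.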

3. Enable Two-Factor Authentication (2FA)

2FA adds a second check at login. Even if someone steals your master password, they also need a one-time code from your phone or a hardware security key. Be clear about what it does not do: in most managers 2FA protects the login to your account and does not change how the vault itself is encrypted, so a stolen vault file is still only as strong as the master password, and malware on a device where the vault is unlocked bypasses it entirely.

  1. Choose an Authenticator App or Security Key: Google Authenticator, Authy and Microsoft Authenticator generate time-based one-time codes (TOTP). Where your manager supports it, a FIDO2/WebAuthn hardware key is stronger still, because its response is bound to the genuine site and cannot be phished.
  2. Enable 2FA in Your Password Manager Settings: Most password managers offer this feature. Follow the instructions provided by your provider.
  3. Backup Codes: Store these somewhere you can reach without the password manager or your phone (for example, on paper in a safe place). You’ll need them if you lose access to your authenticator app, and each one is as powerful as a 2FA code, so treat them as secrets.

Example of enabling 2FA in Bitwarden (menus differ between managers): in the web vault, go to Settings > Security > Two-step login, pick a method and follow the on-screen prompts; the same page shows the recovery code you should store with your backup codes.
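
To make the steps above concrete, here is how the six-digit codes an authenticator app shows are produced and checked. This is an added example, not code from this article, from Bitwarden or from any authenticator app: it implements the published HOTP/TOTP algorithms (RFC 4226 and RFC 6238), uses the RFC’s own test secret so the output can be checked against the RFC’s table, and the backup-code alphabet and lengths are my choices.

```python
import base64
import hashlib
import hmac
import secrets
import time


def decode_base32_secret(secret):
    """Authenticator apps exchange the shared secret as base32 (the string behind
    the QR code); normalise spacing/case and restore padding before decoding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """RFC 6238: the HOTP counter is the number of 30-second steps since the epoch."""
    if at_time is None:
        at_time = time.time()
    return hotp(decode_base32_secret(secret), int(at_time) // step, digits)


def verify_totp(secret, code, at_time=None, step=30, digits=6, window=1):
    """Server-side check. A window of one step either side tolerates clock drift and
    a user who finishes typing just after the code rolled over; a wider window gives
    an attacker more valid codes per attempt, so keep it small. The comparison is
    constant-time so the check does not leak how many digits matched."""
    if at_time is None:
        at_time = time.time()
    key = decode_base32_secret(secret)
    counter = int(at_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(key, c, digits), str(code)):
            return True
    return False


def generate_backup_codes(count=8, length=10):
    """One-time recovery codes drawn from the CSPRNG. The alphabet drops characters
    that are easy to confuse when read back from paper (0/O, 1/l/I)."""
    alphabet = "abcdefghjkmnpqrstuvwxyz23456789"
    return ["".join(secrets.choice(alphabet) for _ in range(length)) for _ in range(count)]


# Test secret from RFC 6238 Appendix B ("12345678901234567890" in base32), so the
# codes can be checked against the RFC's own table.
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print("RFC vector at t=59:", totp(RFC6238_SECRET, at_time=59, digits=8))  # 94287082 per RFC 6238
    print("current code:", totp(RFC6238_SECRET))
    print("backup codes:", generate_backup_codes())
```

Two things worth noticing: the secret is the whole security of TOTP, which is why the QR code and the base32 string must be treated like a password, and a code is only valid for the step it was generated in (plus the server’s small window), which is what limits what a phished code is worth.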

4. Keep Your Software Updated

Updates often include security fixes that protect against new threats.

  • Password Manager App: Update regularly on all your devices (phone, computer, tablet).
  • Operating System: Windows, macOS, iOS, Android – keep these updated too.
  • Web Browser: Chrome, Firefox, Safari, Edge – ensure you have the latest version.

5. Be Wary of Phishing Attempts

Phishing is a common way to steal your master password.

  • Check the URL: Read the domain in the address bar before typing anything, and read it as a domain, not as a familiar word that appears somewhere in the string. HTTPS and a valid certificate only prove that you are talking to the site named in the address bar; phishing sites have them too. Your password manager helps here: it offers to fill a saved login only on the domain it was saved for, so if it stays silent on a page that looks like your bank, suspect the page, not the manager.
  • Don’t Click Suspicious Links: Be careful about links in emails or messages, even if they look legitimate. Open your password manager from its app or a bookmark you made yourself.
  • Verify Requests: If you receive an email asking you to change your master password or “confirm” your account, contact your password manager provider through its official website or app, not through the links in the message, to confirm it’s genuine.
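
The domain test described above is what a password manager automates, and it is worth seeing why it catches URLs that a human glance passes. The following Python is an added example, not code from this article or from any manager. Its matching rule is a simplification (real managers also consult the Public Suffix List, so that a shared suffix such as a hosting provider’s domain is not treated as one site), and the saved domain and all sample URLs are constructed from reserved names.

```python
from urllib.parse import urlsplit


def naive_url_check(page_url, saved_domain):
    """The check people do by eye: 'the name I expect appears somewhere in the bar'.
    Several of the phishing URLs below pass it."""
    return saved_domain in page_url


def autofill_decision(page_url, saved_domain):
    """Approximation of the rule a manager applies before offering a saved login:
    the page host must be the saved domain or a subdomain of it, over HTTPS.
    Returns (should_fill, reason)."""
    parts = urlsplit(page_url)
    host = (parts.hostname or "").lower().rstrip(".")
    saved = saved_domain.lower().rstrip(".")
    if parts.scheme.lower() != "https":
        return False, "page is not served over HTTPS"
    if not host:
        return False, "URL has no host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised (punycode) host; may be a look-alike of %s" % saved
    if host == saved or host.endswith("." + saved):
        return True, "host %s matches saved domain %s" % (host, saved)
    return False, "host %s does not match saved domain %s" % (host, saved)


# Constructed sample: one saved login and a handful of page URLs. The look-alike hosts
# use reserved names (.test, example.com) and stand in for real attacker domains.
SAVED_DOMAIN = "example.com"
SAMPLE_URLS = [
    "https://example.com/login",                 # genuine
    "https://accounts.example.com/login",        # genuine subdomain
    "https://example.com.login-verify.test/",    # saved name is a subdomain of the attacker's host
    "https://vault.example.com@evil.test/",      # userinfo trick: the real host is evil.test
    "https://example-com.test/login",            # hyphen instead of dot
    "http://example.com/login",                  # right host but no TLS: anyone on the path can read it
    "https://xn--exmple-cua.com/",               # punycode: renders as a look-alike of the real name
]


def audit(urls=SAMPLE_URLS, saved_domain=SAVED_DOMAIN):
    """Run both checks over the samples; returns (url, eye_check, manager_verdict, reason)."""
    rows = []
    for url in urls:
        fill, reason = autofill_decision(url, saved_domain)
        rows.append((url, naive_url_check(url, saved_domain), fill, reason))
    return rows


if __name__ == "__main__":
    for url, naive, fill, reason in audit():
        print("%-42s eye-check=%-5s manager=%-5s %s" % (url, naive, fill, reason))
```

The userinfo case is the one to remember: everything before the `@` is ignored by the browser, so the address bar may start with the name you expect while the connection goes to the attacker’s host; `urlsplit` (and the browser) report the real host, which is what the manager compares.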

6. Regular Security Checks

Many password managers offer security reports.

  • Weak Passwords: Identify and update any weak or reused passwords stored in your vault.
  • Compromised Credentials: Check whether any of your logins have appeared in data breaches. Have I Been Pwned’s Pwned Passwords service lets you do this without sending it your password: only the first five characters of the password’s SHA-1 hash are sent, and the comparison happens on your side.
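
The breach check above works without the service ever seeing your password, and the vault audit is a few lines over an export. This added Python shows the hash split, the parsing of the range response, and a reuse/length audit; it is not this article’s code nor the Have I Been Pwned client library. The range response body and vault entries are constructed samples (the one real value is the SHA-1 suffix of “password”), and nothing here touches the network.

```python
import hashlib
from collections import defaultdict

# Real endpoint of the Pwned Passwords range API; this example never calls it and
# instead parses a constructed copy of what it returns.
PWNED_RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_upper_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(password):
    """k-anonymity split: the 5-hex-char prefix is all that leaves your machine;
    the 35-char suffix is compared locally against the returned range."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def breach_count_from_range(suffix, range_response):
    """Parse a 'SUFFIX:COUNT' body (one line per hash in the range) and return the
    count for our suffix, 0 if absent. Lines with a count of 0 are the padding the
    API adds when asked to, so a response cannot be fingerprinted by its size."""
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_password_offline(password, range_response):
    """Combine the two steps; in real use the body comes from
    GET PWNED_RANGE_API + prefix (optionally with the Add-Padding: true header)."""
    _prefix, suffix = range_query(password)
    return breach_count_from_range(suffix, range_response)


# Constructed stand-in for the body of GET .../range/5BAA6. The second line carries the
# real SHA-1 suffix of "password"; its count and the other two lines are made up.
SAMPLE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n"
    "2DC183F740EE76F27B78EB39C8AD972A757:0\r\n"
)

# Constructed vault export for the reuse / length audit.
VAULT = [
    {"name": "Email", "username": "alice@example.com", "password": "password"},
    {"name": "Bank", "username": "alice", "password": "Tr0ub4dor&3"},
    {"name": "Forum", "username": "alice99", "password": "password"},
    {"name": "Work VPN", "username": "alice", "password": "correct horse battery staple"},
]


def find_reused(vault):
    """Passwords that appear in more than one entry, with the entries that share them."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def find_short(vault, min_length=12):
    """Entries whose password is shorter than the minimum your vault policy wants."""
    return [entry["name"] for entry in vault if len(entry["password"]) < min_length]


if __name__ == "__main__":
    prefix, suffix = range_query("password")
    print("would request:", PWNED_RANGE_API + prefix, "(suffix stays local)")
    print("breach count for 'password':", check_password_offline("password", SAMPLE_RANGE_RESPONSE))
    print("reused:", find_reused(VAULT))
    print("short:", find_short(VAULT))
```

If you wire this to the real API, do the comparison exactly as above (suffix only, locally) and never log the full hash; the prefix alone maps to hundreds of candidate passwords, which is the point of the design.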

7. Device Security

Protect the devices you use to access your password manager.

  • Antivirus Software: Install and keep updated on all computers; it is the main defence against the keyloggers and infostealers described in section 1.
  • Firewall: Enable a firewall to block unauthorized inbound connections.
  • Screen Lock: Use a strong PIN or biometric lock on your phone and tablet, and set the password manager itself to lock after a short idle time so an unlocked vault is never left open.
  • Disk Encryption: Turn on full-disk encryption (BitLocker, FileVault, or the built-in encryption on phones) so a lost or stolen device doesn’t hand over the vault file for offline guessing.